Bogdan Enache wrote on 2013-06-08 12:09:

mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6
Which is perfectly normal.

normal in what way?

I have seen this here as well with that user.

But how can I also show the username that was tried in the logs? I want
to see:
1. Which user keeps entering the wrong password.

UGFzc3dvcmQ6 is a user that uses some kind of Tor networking where port 25 is not reached directly, so we all see him using more than one IP in Postfix.

2. What user is someone else trying to hijack.

UGFzc3dvcmQ6 is the user that tries to use your Postfix to send mail; it does not matter if that user is not local, it's the auth you see being abused on your host.

I have seen at most 100000 failed logins here for that user, so pretty common here as well.

I have limited it here by removing SASL auth on port 25, and on port 587 I have limited the IP ranges to just the networks the users are on; this stops it very well for me.

I need this because a user of mine was hijacked a few days ago. I have
fail2ban installed and working (banning IPs for 1 hour after 10
incorrect passwords), but looking through the logs in the last month I
realized this might have been a distributed attack actually.

For UGFzc3dvcmQ6, make a fail2ban rule to catch this in the logs and make it permanently firewalled, not just let fail2ban do its work.

Running postfix 2.5.9.

pretty old :)


--
senders that put my email into body content will deliver it to my own trashcan, so if you like to get a reply, don't do it
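The detection step the reply recommends (catching these failures in the logs and deciding which source addresses to block, including the distributed case the original poster suspects), as an added example that is not from this thread or from the Postfix or fail2ban projects: a Python script that parses `postfix/smtpd` SASL failure lines of the shape quoted above, counts failures per source IP, lists the sources that cross the thread's fail2ban threshold of 10, and base64-decodes the trailing token exactly as it appears in the log so the analyst sees the literal text. The log lines below are constructed; the IP addresses are documentation ranges, not real sources.

```python
import base64
import re
from collections import Counter

# Matches the shape of the line quoted in the thread:
#   mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<token>\S+)"
)


def decode_token(token: str) -> str:
    """Base64-decode the token postfix appends to the failure line.

    Returns the raw token unchanged if it is not valid base64, so the
    caller always gets something printable.
    """
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return token


def parse_sasl_failures(lines):
    """Return one dict per SASL failure line; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = SASL_FAIL_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "host": m.group("host"),
                "mech": m.group("mech"),
                "token": m.group("token"),
                "decoded": decode_token(m.group("token")),
            })
    return events


def failures_per_ip(events) -> Counter:
    """Count failed logins per source address (what fail2ban keys on)."""
    return Counter(e["ip"] for e in events)


def offenders(events, threshold=10):
    """Sources at or above the threshold, most failures first (constructed policy: the thread's 10 tries)."""
    counts = failures_per_ip(events)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def distinct_sources(events) -> int:
    """How many different IPs produced failures; a high number with low per-IP
    counts is the distributed pattern a per-IP ban threshold never triggers on."""
    return len(failures_per_ip(events))


# Constructed sample log: one noisy source, two low-rate sources, one unrelated line.
SAMPLE_LOG = (
    [f"Jun  8 11:58:{i:02d} mx1 postfix/smtpd[1069]: warning: unknown[203.0.113.5]: "
     f"SASL LOGIN authentication failed: UGFzc3dvcmQ6" for i in range(12)]
    + [f"Jun  8 11:59:{i:02d} mx1 postfix/smtpd[1070]: warning: unknown[198.51.100.7]: "
       f"SASL PLAIN authentication failed: authentication failure" for i in range(3)]
    + ["Jun  8 12:00:01 mx1 postfix/smtpd[1071]: warning: unknown[203.0.113.9]: "
       "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
       "Jun  8 12:00:02 mx1 postfix/smtpd[1071]: disconnect from unknown[203.0.113.9]"]
)

if __name__ == "__main__":
    events = parse_sasl_failures(SAMPLE_LOG)
    print(f"{len(events)} SASL failures from {distinct_sources(events)} sources")
    for ip, n in failures_per_ip(events).most_common():
        print(f"  {ip:<16} {n:>5}")
    print("over threshold:", offenders(events))
    print("token as logged -> decoded:",
          {e["token"]: e["decoded"] for e in events})
```

Run against a real `mail.log` by replacing `SAMPLE_LOG` with `open("/var/log/mail.log")`; the per-IP table is the view a ban threshold acts on, while `distinct_sources` is the number to watch when many addresses each stay under the threshold.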
